Study on Signature Verification Process for the Firmware of an Android Platform.

Recently, Android is expanding its application area including vehicle infotainment system, smart TV, AI speaker as IoT devices as well as mobile terminals. To maintain and support these systems, the manufacturer distributes the firmware through the Android firmware build framework and updates after evaluating firmware integrity by a signature verification process. However, attackers potentially falsify the firmware and raise critical security problems on mobile terminals in cases that developers use the public test key or SDK key to sign the firmware for release, due to lack of security readiness of mobile manufacturers. This paper analyzes the firmware signing, verification and update process of the Android platform, introduces vulnerabilities invented when an unsafe key is used and implements an evaluation tool for signature verification to find the firmware features if signed by an unsafe key.